SEC Approves FINRA Rule Amendments Requiring Information Provided To Them Via A Portable Media Device Be Encrypted
[24568]
October 1, 2010
TO: BANK, TRUST AND RECORDKEEPER ADVISORY COMMITTEE No. 32-10BROKER/DEALER ADVISORY COMMITTEE No. 39-10
TECHNOLOGY COMMITTEE No. 10-10 RE: SEC APPROVES FINRA RULE AMENDMENTS REQUIRING INFORMATION PROVIDED TO THEM VIA A PORTABLE MEDIA DEVICE BE ENCRYPTED
In June, the Securities and Exchange Commission sought comment on a FINRA proposal to revise FINRA Rule 8210, which governs the provision of information to FINRA in connection with an investigation, complaint, examination, or adjudicatory proceeding. This week, the Commission approved the proposed amendments, which are intended to protect non-public personal information or confidential information provided to the FINRA from improper use by unauthorized third parties. [1] As a result, FINRA Rule 8210 now requires that when information is provided to FINRA via a portable media device: (1) such information must be encrypted using “an encryption method that meets industry standards for strong encryption;” and (2) FINRA staff must be provided the confidential process or key regarding the encryption in a communication separate from the encrypted information itself. As used in the rule, “portable media device” means a storage device for electronic information including, but not limited to, a flash drive, CD-ROM, DVD, portable hard drive, laptop computer, disc, diskette, or any other portable device for storing and transporting electronic information.
The Institute had filed a comment letter supporting the proposal and reiterating our view that regulatory authorities should ensure that their internal systems provide protection of non-public personal information they receive from registrants commensurate with the duty imposed on registrants to protect such information. [2] FINRA noted, in response to our recommendation, that FINRA “has a ‘robust and current information security policy.’” [3]
Tamara K. Salmon
Senior Associate Counsel
endnotes
[1] See SEC Release No. 34-63016; File No. SR-FINRA-2010-021 (September 29, 2010) (the “Adopting Release”). While the Adopting Release does not include the rule text, it is available on pp. 3-4 of FINRA’s June 2010 filing of the proposal with the Commission: http://www.finra.org/web/groups/industry/@ip/@reg/@rulfil/documents/rulefilings/p121569.pdf.
[2] See Institute Memorandum to Technology Committee No. 7-10, Broker/Dealer Advisory Committee No. 21-10, and Bank Trust Recordkeepers Advisory Committee No. 15-10 [No. 24374], dated June 22, 2010.
[3] Adopting Release at p. 5.